Mobile device operating systems, such as Apple's iOS or Google's Android operating system, provide a Kerberos framework. This framework allows applications executing on the mobile device to use Kerberos to authenticate the mobile device or a user of the mobile device. However, Kerberos requires that a client communicate directly with a Key Distribution Center (KDC) for authentication. For mobile devices operating outside the KDC's network to authenticate using Kerberos (for example, a mobile device connecting across the public internet to a corporate network hosting the KDC), the devices are often required to first connect to the KDC's network through a virtual private network (VPN) connection. This allows for secure communications between external mobile devices and the KDC without having to make the KDC directly accessible to external devices.
VPNs have a number of benefits and drawbacks. VPNs offer a highly secure channel between two networks or between a mobile device and the network the mobile device wishes to access. However, the processing required to encrypt the requests traveling over the VPN connection often reduces the available bandwidth, as the router and/or VPN server encrypts and decrypts individual network packets. Moreover, VPN connections can be unreliable. For example, a coffee shop might block commonly used ports related to Internet Protocol security extensions (IPsec) or commonly used ports related to popular secure sockets layer (SSL) VPN implementations.
Further, the use of VPNs by mobile applications can be constrained by the operating system. For example, many mobile devices limit or otherwise restrict the execution or functionality of background processes (including VPNs). These restrictions are intended to preserve the battery life of a mobile device by limiting the execution of background processes and, therefore, the use of computing resources that would drain the battery.